From c194beb20b58f5f1f95af7d5d6fd2dd4f7a74d0e Mon Sep 17 00:00:00 2001 From: Evan Parker Date: Fri, 30 Jan 2026 15:01:57 -0700 Subject: [PATCH 1/4] Add "tier2" label to test_check_crtm_random See title. --- test/CMakeLists.txt | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 40859bc..2425cfc 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -293,7 +293,12 @@ add_executable(test_check_crtm_random mains/application/check_crtm_random_profi target_link_libraries(test_check_crtm_random PRIVATE crtm) add_test(NAME test_check_crtm_random COMMAND test_check_crtm_random) -set_tests_properties(test_check_crtm_random PROPERTIES ENVIRONMENT "OMP_NUM_THREADS=$ENV{OMP_NUM_THREADS}") +set_tests_properties( + test_check_crtm_random + PROPERTIES + ENVIRONMENT "OMP_NUM_THREADS=$ENV{OMP_NUM_THREADS}" + LABELS tier2 +) add_executable(Unit_TL_TEST mains/unit/Unit_Test/test_TL.f90) From fd761902cf13bf522393a7f2da419b52fe664481 Mon Sep 17 00:00:00 2001 From: Evan Parker Date: Fri, 30 Jan 2026 15:55:56 -0700 Subject: [PATCH 2/4] Update start-jedi-ci.yaml Add secret debug. Also I think the answer is that the secret key has to be in the fork repo. So there needs to be a workaround to fix this. --- .github/workflows/start-jedi-ci.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/start-jedi-ci.yaml b/.github/workflows/start-jedi-ci.yaml index 902dde8..27471f0 100644 --- a/.github/workflows/start-jedi-ci.yaml +++ b/.github/workflows/start-jedi-ci.yaml @@ -14,6 +14,12 @@ jobs: id-token: write contents: read steps: + - name: Debug secret availability + run: | + echo "event=${{ github.event_name }}" + echo "actor=${{ github.actor }}" + echo "from_fork=${{ github.event.pull_request.head.repo.fork || 'n/a' }}" + echo "has_key=${{ secrets.CI_APP_PRIVATE_KEY != '' }}" - name: Generate CI App token id: generate-token From 7de652194bbc8bd3c065bbb79f8ee5ff1a23bc69 Mon Sep 17 00:00:00 2001 
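Review bot: The `Debug secret availability` step added to start-jedi-ci.yaml expands `${{ github.actor }}` and the other contexts directly into the `run:` script text, a pattern that turns into script injection as soon as a contributor-controlled field is added to it. The values used here appear tightly constrained and `has_key` prints only a boolean, so nothing sensitive is exposed as written. I would still pass them through the step environment, for example `env:` with `ACTOR: ${{ github.actor }}` and then `echo "actor=$ACTOR"`, so the step stays safe if it is extended.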
From: Evan Parker Date: Fri, 30 Jan 2026 16:12:36 -0700 Subject: [PATCH 3/4] Use pull_request_target and gated environment. --- .github/workflows/start-jedi-ci.yaml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/workflows/start-jedi-ci.yaml b/.github/workflows/start-jedi-ci.yaml index 27471f0..e548d2f 100644 --- a/.github/workflows/start-jedi-ci.yaml +++ b/.github/workflows/start-jedi-ci.yaml @@ -1,7 +1,7 @@ name: start-jedi-ci on: - pull_request: + pull_request_target: branches: - 'master' - 'main' @@ -13,13 +13,11 @@ jobs: permissions: id-token: write contents: read + + # Checks in this environment must be approved by reviewers configured in "Settings" -> "Environments". + environment: fork_pull_secrets + steps: - - name: Debug secret availability - run: | - echo "event=${{ github.event_name }}" - echo "actor=${{ github.actor }}" - echo "from_fork=${{ github.event.pull_request.head.repo.fork || 'n/a' }}" - echo "has_key=${{ secrets.CI_APP_PRIVATE_KEY != '' }}" - name: Generate CI App token id: generate-token @@ -28,7 +26,7 @@ jobs: # Owner is specified to scope the token to the org install # otherwise the token will be scoped to the repository. app-id: 321361 - private-key: ${{ secrets.CI_APP_PRIVATE_KEY }} + private-key: ${{ secrets.CI_APP_PRIVATE_KEY_FORK }} owner: JCSDA - name: checkout repository From a494ebc9d2233033c324ac980b1a1a1f256ffe86 Mon Sep 17 00:00:00 2001 From: Evan Parker Date: Fri, 30 Jan 2026 16:29:51 -0700 Subject: [PATCH 4/4] environment not needed, action permission is a global setting. --- .github/workflows/start-jedi-ci.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/start-jedi-ci.yaml b/.github/workflows/start-jedi-ci.yaml index e548d2f..f6803c4 100644 --- a/.github/workflows/start-jedi-ci.yaml +++ b/.github/workflows/start-jedi-ci.yaml 
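Review bot: Switching the trigger to `pull_request_target` in the first hunk of PATCH 3/4 means this job runs with the base repository's secrets and `id-token: write` for pull requests from forks, so the `checkout repository` step after the last hunk must not fetch and execute the PR head in this same job. That step's `with:` block is outside the hunk and should be checked for a `ref:` pointing at the pull request head. The `environment: fork_pull_secrets` line protects the key only if required reviewers are actually configured on that environment, which the diff cannot show. I would extend the added comment to say what an approver is vouching for, e.g. `# Approve only after reviewing the PR head commit; this job mints an org-scoped App token.`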
@@ -13,10 +13,6 @@ jobs: permissions: id-token: write contents: read - - # Checks in this environment must be approved by reviewers configured in "Settings" -> "Environments". - environment: fork_pull_secrets - steps: - name: Generate CI App token @@ -26,7 +22,7 @@ jobs: # Owner is specified to scope the token to the org install # otherwise the token will be scoped to the repository. app-id: 321361 - private-key: ${{ secrets.CI_APP_PRIVATE_KEY_FORK }} + private-key: ${{ secrets.CI_APP_PRIVATE_KEY }} owner: JCSDA - name: checkout repository
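Review bot: Removing `environment: fork_pull_secrets` in the first hunk leaves the `pull_request_target` job with no approval step before `secrets.CI_APP_PRIVATE_KEY` is read in the second hunk. GitHub's documentation has described the fork pull request approval setting as applying to `pull_request` runs, while `pull_request_target` runs start regardless of it, so the "global setting" the commit message relies on may not gate this workflow; that should be confirmed against the current documentation and the repository settings. Going back from `CI_APP_PRIVATE_KEY_FORK` also means fork-triggered runs use the same secret as trusted runs, and the in-file comment says the resulting token is scoped to the org install. Unless the gate is proven redundant, I would keep `environment: fork_pull_secrets` and `private-key: ${{ secrets.CI_APP_PRIVATE_KEY_FORK }}`. The job's remaining steps are outside these hunks, so what runs with that token cannot be judged from here.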